Suppressing HTTP Headers from WebSphere Application Server
18 December 2013, Version 0.5
Dave Hay, IBM Software Services for WebSphere (ISSW)
[email protected], +44 7802 918423
The Problem
● Our client has identified a risk, in terms of providing too much information to a potential attacker, because WebSphere Application Server (WAS) returns its version string in the HTTP headers of the response to a simple HTTPS request.
This is what we see
● This is from IBM BPM Standard 7.5.1.1 ( Process Center )
This is how we resolve it
● WAS includes the ability to override certain HTTP headers.
● Overrides include: -
ServerHeaderValue – Allows the Server header to be set to a custom string
RemoveServerHeader – Allows the Server header to be completely removed
● This is documented in the Information Center ( see Bibliography )
How to set HTTP Headers - 1/2
How to set HTTP Headers - 2/2
OR
Example – Using ServerHeaderValue
Example – Using RemoveServerHeader
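The two example slides above (screenshots in the original deck) show the effect of ServerHeaderValue and RemoveServerHeader. As an added illustration that is not part of the original presentation, the script below reproduces the three states with Python's stand-in http.server (not WAS) and includes the check a reviewer runs afterwards: fetch the response, read the Server header, and classify it as version-disclosing, custom, or absent. Assumptions: plain HTTP on loopback rather than the HTTPS request in the slides (the header check is identical), and that a disclosed version takes the usual "Product/x.y" form; the handler and function names are hypothetical. fetch_server_header can be pointed at a real WAS or IHS port to verify the custom property or httpd.conf change took effect.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# A Server value carrying a product/version token such as "Foo/8.0.0.1" is
# what the slides flag as over-disclosure (assumption: the version string
# appears in the usual "Product/x.y" form).
VERSION_RE = re.compile(r"[A-Za-z][\w.-]*/\d+(?:\.\d+)+")


class LeakyHandler(BaseHTTPRequestHandler):
    """Default behaviour: the framework announces product and version in Server."""

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.end_headers()
        self.wfile.write(b"ok")

    def log_message(self, *args):  # keep the demo quiet
        pass


class CustomHandler(LeakyHandler):
    """Stand-in for ServerHeaderValue: replace the banner with a neutral string."""

    def version_string(self):
        return "Application Server"


class SilentHandler(LeakyHandler):
    """Stand-in for RemoveServerHeader: send no Server header at all."""

    def send_response(self, code, message=None):
        # BaseHTTPRequestHandler.send_response() appends Server and Date itself;
        # re-implement it without the Server line.
        self.log_request(code)
        self.send_response_only(code, message)
        self.send_header("Date", self.date_time_string())


def serve(handler_cls):
    """Start a throwaway HTTP server on a free loopback port; caller calls shutdown()."""
    server = HTTPServer(("127.0.0.1", 0), handler_cls)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def fetch_server_header(host, port):
    """Return the Server header of a GET / response, or None if it is absent."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        resp.read()
        return resp.getheader("Server")
    finally:
        conn.close()


def classify(value):
    """Verdict a reviewer wants: 'absent', 'custom' or 'version-disclosed'."""
    if value is None:
        return "absent"
    if VERSION_RE.search(value):
        return "version-disclosed"
    return "custom"


def check(handler_cls):
    """Spin up a server using handler_cls, probe it, and return (header, verdict)."""
    server = serve(handler_cls)
    try:
        value = fetch_server_header("127.0.0.1", server.server_port)
    finally:
        server.shutdown()
        server.server_close()
    return value, classify(value)


if __name__ == "__main__":
    for cls in (LeakyHandler, CustomHandler, SilentHandler):
        header, verdict = check(cls)
        print(f"{cls.__name__:14s} Server={header!r} -> {verdict}")
```

Of the two mitigations, removing the header entirely leaves nothing to fingerprint, while a custom value still tells a scanner that something deliberately rewrote it; either way the version token is gone, which is the point of the slides.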
Backup
● The same “risk” has been identified with IBM HTTP Server.
● This can be mitigated by adding: -
AddServerHeader Off
ServerTokens Prod
ServerSignature Off
to the IHS httpd.conf file.
Bibliography
WAS 8.0 - Information Center - HTTP transport channel custom properties
WAS 7.0 - Information Center - HTTP transport custom properties
Apache Documentation - ServerSignature Directive
Apache Documentation - ServerTokens Directive
IHS Documentation - AddServerHeader Directive